Alerts

Overview

Get a list of all or filtered alerts. The alerts listed are what remains after alert exclusions are applied by CrowdStrike Falcon.

Configuration

Parameters

parameters.domain will store the value of the API URL, excluding the endpoint paths like /v1/cp/oauth/token or /v1/cp/alerts

Secrets

secrets.client_id will reference the Client ID
secrets.client_secret will reference the Client Secret.

Open the Secret fields and click New secret to create a new one:

Give the secret a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the value.
Click Save.

Learn more about secrets in Onum in this article.

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can choose to manually enter the Falcon API Alerts fields, or simply paste the given YAML:

Toggle this ON to enable a free text field where you can paste your CrowdStrike Falcon API YAML.

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: ${parameters.domain}/oauth2/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: offsetLimit
  limit: 100
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/alerts/queries/alerts/v2
    queryParams:
      - name: offset
        value: ${pagination.offset}
      - name: limit
        value: ${pagination.limit}
      - name: filter
        value: created_timestamp:>'${temporalWindow.from}'+created_timestamp:<'${temporalWindow.to}'
  output:
    select: ".resources"
    map: "."
    outputMode: collection
collectionPhase:
  variables:
    - source: input
      name: resources
      expression: "."
      format: "json"
  paginationType: none
  request:
    method: POST
    url: ${parameters.domain}/alerts/entities/alerts/v2
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
    responseType: json
    bodyType: raw
    bodyRaw: |
      {
        "composite_ids": ${inputs.resources}
      }
  output:
    select: ".resources"
    map: "."
    outputMode: element

This HTTP Pull Listener now uses the data export API to extract events.

Click Create labels to move on to the next step and define the required Labels if needed.

PreviousCollect data from CrowdStrike Falcon NG-SIEM NextEvent Stream

Last updated 3 months ago

Was this helpful?

hashtagOverview

hashtagConfiguration

hashtagParameters

hashtagSecrets

Overview

Configuration

Parameters

Secrets